As far as I understand your question, there is no standard reference for measuring risk. Each person, each group of persons, each organization has its own standard for measuring risks. Even what is a risk for some is an opportunity for others.
How is it measured? Qualitative or quantitative?
Normally, organizations develop quantitative methods to evaluate risk significance. They can use a matrix like this one:
To get results like this one:
As a consultant working with different organizations, I normally use that matrix approach, but I have already used a more subjective and qualitative approach with some clients.
How to identify risks?
According to ISO 9001:2015 I recommend determining risks about:
The business context (clauses 6.1, 4.1 and 4.2)
The products and services (clause 5.1.2 b))
The processes (clause 4.4.1 f))
Think about expected results and what kind of uncertainties can deviate your organization from meeting them.
Think about what can generate or promote undesirable results.
Where to base your assessment? Example: manufacturing of foam industries.
As far as I understand your question, start with my previous answer. What are your organization's main objectives, and what in the business context can help or hinder in meeting them?
The following material will provide you more information about risks and opportunities: